diff --git a/docs/compatibility.md b/docs/compatibility.md
index c4b35ea..70f6223 100644
--- a/docs/compatibility.md
+++ b/docs/compatibility.md
@@ -15,6 +15,7 @@
 |Debian 12 Bookworm|✅|
 |Ubuntu Jammy|✅|
 |Fedora 39|✅|
+|Nixos 24.05|✅|
 |Arch|🟨|
 |Alpine|❌|
diff --git a/jlmkr.py b/jlmkr.py
index 9f6faee..ad60a5d 100755
--- a/jlmkr.py
+++ b/jlmkr.py
@@ -1379,6 +1379,7 @@ def create_jail(**kwargs):
 if (
 init_system_name != "systemd"
+ and parse_os_release(jail_rootfs_path).get("ID") != "nixos"
 ):
 print(
 dedent(
diff --git a/templates/nixos/README.md b/templates/nixos/README.md
new file mode 100644
index 0000000..9181243
--- /dev/null
+++ b/templates/nixos/README.md
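Review bot: The added clause exempts NixOS from the non-systemd warning by reading the jail's os-release, but the reason for the exemption is not recorded, so a one-line comment above it would help, e.g. `# NixOS is systemd-based but its init probe does not detect it — TODO confirm why`. It is also worth confirming that parse_os_release returns an empty mapping rather than raising when the rootfs has no /etc/os-release; if it raises, a path that previously only printed a warning would now abort jail creation. The new read is only reached when init_system_name is not "systemd", so the common path is unaffected. The body of create_jail continues outside the hunk.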
@@ -0,0 +1,35 @@
+# Nixos Jail Template
+
+## Disclaimer
+
+**Experimental. Using nixos in this setup hasn't been extensively tested and has [known issues](#known-issues).**
+
+## Setup
+
+Check out the [config](./config) template file. You may provide it when asked during `./jlmkr.py create` or, if you have the template file stored on your NAS, you may provide it directly by running `./jlmkr.py create --start --config /mnt/tank/path/to/nixos/config mynixosjail`.
+
+## Manual Setup
+
+```bash
+# Create the jail without starting
+./jlmkr.py create --distro=nixos --release=24.05 nixos --network-bridge=br1 --resolv-conf=bind-host --bind-ro=./lxd.nix:/etc/nixos/lxd.nix
+# Create empty nix module to satisfy import in default lxc configuration.nix
+echo '{ ... }:{}' > ./jails/nixos/lxd.nix
+# Start the nixos jail
+./jlmkr.py start nixos
+sleep 90
+# Network should be up by now
+./jlmkr.py shell nixos /bin/sh -c 'ifconfig'
+# Try to rebuild the system
+./jlmkr.py shell nixos /bin/sh -c 'nixos-rebuild switch'
+```
+
+## Known Issues
+
+### Environment jlmkr exec
+
+Running `./jlmkr.py exec mynixosjail ifconfig` doesn't work because the shell environment isn't setup properly. You can run `./jlmkr.py shell mynixosjail /bin/sh -c 'ifconfig'` or `./jlmkr.py exec mynixosjail /bin/sh -c '. /etc/bashrc; ifconfig'` instead.
+
+### Bridge networking only
+
+This setup has NOT been tested with macvlan networking.
\ No newline at end of file
diff --git a/templates/nixos/config b/templates/nixos/config
new file mode 100644
index 0000000..4411aa9
--- /dev/null
+++ b/templates/nixos/config
@@ -0,0 +1,54 @@
+startup=0
+gpu_passthrough_intel=0
+gpu_passthrough_nvidia=0
+# Turning off seccomp filtering improves performance at the expense of security
+seccomp=1
+
+# Use bridge networking to provide an isolated network namespace,
+# so nixos can manage firewall rules
+# Ensure to change br1 to the interface name you want to use
+# You may want to add additional options here, e.g. bind mounts
+systemd_nspawn_user_args=--network-bridge=br1
+ --resolv-conf=bind-host
+ --bind-ro=./lxd.nix:/etc/nixos/lxd.nix
+
+# Script to run on the HOST before starting the jail
+pre_start_hook=#!/usr/bin/env bash
+ set -euo pipefail
+ echo 'PRE_START_HOOK'
+
+ # If there's no machine-id then this we're about to start the jail for the first time
+ if [ ! -e ./rootfs/etc/machine-id ]; then
+ echo 'BEFORE_FIRST_BOOT'
+ # Create empty nix module to satisfy import in default lxc configuration.nix
+ echo '{ ... }:{}' > ./lxd.nix
+ fi
+
+# Only used while creating the jail
+distro=nixos
+release=24.05
+
+# # Example initial_setup which rebuild the system,
+# # for when you mount your own /etc/nixos/configuration.nix inside the jail
+# initial_setup=#!/run/current-system/sw/bin/bash
+# . /etc/bashrc
+# set -x
+# ifconfig
+# nixos-rebuild switch
+# echo "All Done"
+
+# You generally will not need to change the options below
+systemd_run_default_args=--property=KillMode=mixed
+ --property=Type=notify
+ --property=RestartForceExitStatus=133
+ --property=SuccessExitStatus=133
+ --property=Delegate=yes
+ --property=TasksMax=infinity
+ --collect
+ --setenv=SYSTEMD_NSPAWN_LOCK=0
+
+systemd_nspawn_default_args=--keep-unit
+ --quiet
+ --boot
+ --bind-ro=/sys/module
+ --inaccessible=/sys/module/apparmor
\ No newline at end of file
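Review bot: The pre_start_hook creates `./lxd.nix` only when `./rootfs/etc/machine-id` is absent, yet `systemd_nspawn_user_args` bind-mounts `./lxd.nix` on every start, so a jail whose lxd.nix was removed after first boot would presumably fail to start on the missing bind source instead of regenerating it. Guarding on the file itself is more robust and still leaves a user-customised module untouched: `[ -e ./lxd.nix ] || echo '{ ... }:{}' > ./lxd.nix`, keeping the machine-id check only for the BEFORE_FIRST_BOOT message. The comment above that check also reads oddly (`# If there's no machine-id then this we're about to start the jail for the first time`); `# No machine-id yet means this is the jail's first boot` says the same thing.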